On Sun, 06 May 2012 14:28:39 +0200, gregor herrmann wrote: > > https://bitbucket.org/shlomif/perl-config-inifiles/changeset/a08fa26f4f59 > > CVE-identifier assigned in here: http://seclists.org/oss-sec/2012/q2/225 > Here's the diff of this commit.
Next attempt ... -- .''`. Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06 : :' : Debian GNU/Linux user, admin, and developer - http://www.debian.org/ `. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe `- NP: Orquesta Chepin: Murmullo
# HG changeset patch
# User Shlomi Fish <shlo...@iglu.org.il>
# Date 1335945523 -10800
# Node ID a08fa26f4f59b683b605b927e41299848fd66895
# Parent 7409037da07b25c622ea2d758589e1dd9f518608
Fix the temporary filename problem.

diff -r 7409037da07b25c622ea2d758589e1dd9f518608 -r a08fa26f4f59b683b605b927e41299848fd66895 config-inifiles/Build.PL
--- a/config-inifiles/Build.PL Wed May 02 10:37:25 2012 +0300
+++ b/config-inifiles/Build.PL Wed May 02 10:58:43 2012 +0300
@@ -31,6 +31,8 @@
 'Carp' => 0,
 'Symbol' => 0,
 'warnings' => 0,
+ 'File::Basename' => 0,
+ 'File::Temp' => 0,
 'List::MoreUtils' => 0,
 },
 create_makefile_pl => 'small',
diff -r 7409037da07b25c622ea2d758589e1dd9f518608 -r a08fa26f4f59b683b605b927e41299848fd66895 config-inifiles/Changes
--- a/config-inifiles/Changes Wed May 02 10:37:25 2012 +0300
+++ b/config-inifiles/Changes Wed May 02 10:58:43 2012 +0300
@@ -1,4 +1,9 @@
-* Now requiring List::MoreUtils (for any() and other functions).
+* SECURITY BUG FIX: Config::IniFiles used to write to a temporary filename
+with a predictable name ("$(unknown)-new") which opens the door for potential
+exploits.
+
+* Now requiring List::MoreUtils (for any() and other functions), File::Temp
+and File::Basename .
 * Add "use warnings;" to lib/Config/IniFiles.pm .
diff -r 7409037da07b25c622ea2d758589e1dd9f518608 -r a08fa26f4f59b683b605b927e41299848fd66895 config-inifiles/lib/Config/IniFiles.pm
--- a/config-inifiles/lib/Config/IniFiles.pm Wed May 02 10:37:25 2012 +0300
+++ b/config-inifiles/lib/Config/IniFiles.pm Wed May 02 10:58:43 2012 +0300
@@ -12,6 +12,9 @@
 use List::MoreUtils qw(any none);
+use File::Basename qw( dirname );
+use File::Temp qw/ tempfile /;
+
 @Config::IniFiles::errors = ( );
 # $Header: /home/shlomi/progs/perl/cpan/Config/IniFiles/config-inifiles-cvsbackup/config-inifiles/IniFiles.pm,v 2.41 2003-12-08 10:50:56 domq Exp $
@@ -1331,11 +1334,10 @@
 #carp "Store mode $self->{file_mode} prohibits writing config";
 }
- my $new_file = $file . "-new";
- open(my $fh, '>', $new_file) || do {
- carp "Unable to write temp config file $new_file: $!";
- return undef;
- };
+ my ($fh, $new_file) = tempfile(
+ "temp.ini-XXXXXXXXXX",
+ DIR => dirname($file)
+ );
 $self->OutputConfigToFileHandle($fh, $parms{-delta});
 close($fh);
 if (!rename( $new_file, $file )) {
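Review bot: The temporary file is renamed over `$file` without checking that the write succeeded: `close($fh);` on the line after OutputConfigToFileHandle discards its return value, so a buffered write error (disk full, quota) would be followed by rename() installing a truncated file as the real config. Replace it with `close($fh) or do { carp "Unable to write temp config file $new_file: $!"; unlink $new_file; return undef; };` so the original stays intact and callers get the same undef the removed open() failure branch returned. Two further differences from the removed code deserve a comment above the tempfile() call: tempfile() dies on failure rather than carping and returning undef, so callers relying on the old contract now see an exception unless the call is wrapped in eval, and File::Temp creates the file mode 0600, so after the rename the config is likely readable only by the writing user, a change for any other reader of the file (the `$self->{file_mode}` context line suggests mode handling exists elsewhere, which could be reused to restore the previous mode). The enclosing sub starts outside the hunk.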